ClawHub

Upstage Document Parse

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Upstage document-parsing helper, but using it sends selected documents to Upstage's remote API.

Install only if you intend to process documents with Upstage. Use an environment-provided Upstage API key, expect submitted files to leave the local machine, and avoid sending confidential, regulated, or highly sensitive documents unless Upstage's terms, retention, and your organization's policy allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation repeatedly shows uploading local files such as PDFs and invoices to a third-party API, but it does not warn users that document contents will leave the local environment and may contain sensitive or regulated data. In a document-parsing skill, this omission is security-relevant because users may assume a local transformation rather than remote processing, increasing risk of inadvertent data disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

with open("report.pdf", "rb") as f:
    response = requests.post(
        "https://api.upstage.ai/v1/document-digitization",
        headers={"Authorization": f"Bearer {os.environ['UPSTAGE_API_KEY']}"},
        files={"document": f},
Confidence
91% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
with open("report.pdf", "rb") as f:
    response = requests.post(
        "https://api.upstage.ai/v1/document-digitization",
        headers={"Authorization": f"Bearer {os.environ['UPSTAGE_API_KEY']}"},
        files={"document": f},
        data={"model": "document-parse", "output_formats": "['markdown']"}
Confidence
93% confidence
Finding
https://api.upstage.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract Markdown

```bash
curl -X POST "https://api.upstage.ai/v1/document-digitization" \
  -H "Authorization: Bearer $UPSTAGE_API_KEY" \
  -F "document=@report.pdf" \
  -F "model=document-parse" \
Confidence
89% confidence
Finding
https://api.upstage.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Enhanced Mode for Complex Documents

```bash
curl -X POST "https://api.upstage.ai/v1/document-digitization" \
  -H "Authorization: Bearer $UPSTAGE_API_KEY" \
  -F "document=@complex.pdf" \
  -F "model=document-parse" \
Confidence
89% confidence
Finding
https://api.upstage.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Force OCR for Scanned Documents

```bash
curl -X POST "https://api.upstage.ai/v1/document-digitization" \
  -H "Authorization: Bearer $UPSTAGE_API_KEY" \
  -F "document=@scan.pdf" \
  -F "model=document-parse" \
Confidence
89% confidence
Finding
https://api.upstage.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract Table Images as Base64

```bash
curl -X POST "https://api.upstage.ai/v1/document-digitization" \
  -H "Authorization: Bearer $UPSTAGE_API_KEY" \
  -F "document=@invoice.pdf" \
  -F "model=document-parse" \
Confidence
91% confidence
Finding
https://api.upstage.ai/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal